Since Wayland has been added to the criteria for recommended Linux distros and to the Linux overview in the Knowledge Base, shouldn’t Privacy Guides recommend setting up Brave to use Wayland as well in the configuration section? Installed it yesterday and it uses XWayland by default (tested with the xwininfo command). I’m not sure if this would negatively impact the fingerprint, but it’s possible to achieve that by setting the #ozone-platform-hint flag to Auto on brave://flags, or by adding the --enable-features=UseOzonePlatform --ozone-platform=wayland settings to the command/desktop entry.
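An added example, not part of the original post: one way to apply the flags quoted above to a per-user copy of the desktop entry, so the packaged file stays untouched and survives updates. The function names and the path in the usage comment are assumptions, and the executable path on the Exec= line is assumed to contain no spaces.

```shell
#!/bin/sh
# Added example. The flags are quoted from the post above; function names are
# illustrative, and the Exec= path is assumed to contain no spaces.
WAYLAND_FLAGS='--enable-features=UseOzonePlatform --ozone-platform=wayland'

# Print the desktop entry in file $1 with the flags inserted directly after
# the executable on each Exec= line, so they stay ahead of field codes such
# as %U. Lines that already set --ozone-platform are printed unchanged.
add_wayland_flags() {
    awk -v flags="$WAYLAND_FLAGS" '
        /^Exec=/ && !/--ozone-platform/ {
            n = index($0, " ")
            if (n == 0) print $0 " " flags
            else        print substr($0, 1, n - 1) " " flags substr($0, n)
            next
        }
        { print }
    ' "$1"
}

# Write the patched copy into the per-user applications directory, which
# takes precedence over the system-wide entry with the same file name.
# Prints the path of the file it wrote.
install_override() {
    dest_dir="${XDG_DATA_HOME:-$HOME/.local/share}/applications"
    mkdir -p "$dest_dir"
    dest="$dest_dir/$(basename "$1")"
    add_wayland_flags "$1" > "$dest"
    printf '%s\n' "$dest"
}

# Usage (the path is an assumption; check where your package installs it):
#   install_override /usr/share/applications/brave-browser.desktop
```

After relaunching from the new entry, the xwininfo test mentioned in the post can be repeated to confirm the window is no longer served by XWayland.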
You can also just install it as a Flatpak to make it use Wayland by default.
From Privacy Guides browsers page:
We advise against using the Flatpak version of Brave, as it replaces Chromium’s sandbox with Flatpak’s, which is less effective. Additionally, the package is not maintained by Brave Software, Inc.
Yeah. I need an update on this.
My understanding is that XWayland is just fine with regards to security. The security benefits of Wayland are present regardless of whether the app is native or run via XWayland. The important part is the operating system using Wayland instead of X11.
My understanding is the benefits of native Wayland applications are mostly cosmetic. Better font scaling to be specific.
But I’m no expert.
From what I understand, windows in XWayland are all still bound together under the same X11 process and can look at each other’s contents and inputs. According to the Arch Wiki:
Security: XWayland is an X server, so it does not have the security features of Wayland
Ah, thanks for sharing that. I guess it makes sense that the compatibility layer is singular and not sandboxed. Either for resource usage reasons or for simplicity of development.
In that case, as long as the native Wayland version of Brave is reliable, it does seem like a good idea to recommend enabling it. The fact that Brave themselves haven’t enabled it suggests that either they aren’t ready to support it, or it has some flaw(s) compared to the X11 version.
I have been using it every once in a while for the past couple weeks, although my main browser is still Firefox, so there might be issues I didn’t run into — stuff like hardware acceleration and such. I didn’t find any explanation from Brave as to why they haven’t enabled the Auto flag by default, but right now it seems like the best option, in my opinion.
I have not heard this before, I would like to learn more about it, but I can’t seem to find this excerpt on the Browser section of the Privacy Guides website. I wonder if this advice has changed/was incorrect?
https://blogs.gnome.org/wjjt/2021/03/25/chromium-on-flathub/
These are 2 sources that I could find.
Although the warning about flatpak has been removed from PG’s browser recommendations page, I read a post that stated that all browsers and browser-like applications such as Thunderbird (perhaps including many Electron framework based applications such as VS Code, GitHub Desktop) should avoid using flatpak versions.
If there is some truth in what is mentioned there, it seems that there are deficiencies in informing and guiding average, ordinary users like us. These deficiencies are not only limited to the descriptions on flathub pages. For example, Mozilla officially distributes Firefox from flathub and the official help page does not include any warnings about installing Firefox on Linux. The Fedora Silverblue documentation mentions that the flatpak version of Firefox is preferable for some proprietary drivers and hardware decoding, and that a permanent switch to flatpak is planned. On OpenSUSE MicroOS, the flatpak version of Firefox is installed directly.
Perhaps it would be useful to have a general recommendation about web browsers, both for traditional Linux distributions and for immutable distributions (where any officially supported version of the browsers can be installed via distrobox or package layering) to avoid flatpak versions.
The flatpak warning has not been removed. Check the footnote next to the Linux download link for Brave.
I also don’t see the need for the stronger internal sandbox for Electron or other “browser-based” apps, where the executed code is from the developer anyway. It makes sense for a browser where you are constantly running untrusted JavaScript, but not so much for some Electron app like Element that only runs its own code.
At least, that’s my current understanding.
Wayland has been broken for me for a while now because the NVIDIA implementation is not very great; it doesn’t support hw gpu acceleration.
Taking into account the other debates about Brave:
What is the conclusion of this topic?
Is there a problem with using the Flatpak Brave?
Should the observation in the guide, of not using the flatpak version of Brave, be changed or not?
We do still discourage the Brave Flatpak, mainly because it is not distributed by Brave themselves.
I think as far as sandboxing goes, our conclusion is that the difference it makes is not really enough to actively discourage browser Flatpaks as a whole, so we just note the difference and leave it up to you to decide. I don’t think a decision either way will impact ordinary users. This is why we don’t have the same warning on the Firefox Flatpak for example.